Proactive defence: SOCs and threat hunters

Current and emerging cyber threats and strategies to defeat them

It's been a busy year for those involved in cyber security and, more broadly, data governance. While 2018 has (so far) lacked the pyrotechnics of 2017's ransomware spectaculars, it has seen the introduction of far-reaching legislation as well as a steady stream of incidents blamed on state-sponsored actors.

Legislation to the fore

May saw the introduction of the GDPR and with it a good deal of panicked scrabbling to get houses in order - and an awful lot of emails. While the first fines have yet to be handed out under the GDPR, there has been no shortage of activity on that front. One law firm reported a ten-fold increase in security breach cases as companies fear the consequences of covering them up and consumers are emboldened to make claims.

Meanwhile, privacy activists like Max Schrems wasted no time in filing claims against those they see as the worst offenders such as Facebook and Google. What with that, Cambridge Analytica and Zuckerberg's obfuscations, Facebook has been a regular feature of the security columns this year.

But the GDPR is only one example of where laws around data are being tightened. Tesco Bank was fined £16.4m not by the ICO but by the Financial Conduct Authority for a major data breach that happened in 2016.

All around us new rules and regulations are being drawn up, and regulators are more prepared to take action.

TSB made the wrong sort of headlines

And it's not only about the fines, of course. Reputational damage can hurt just as much. Just ask Paul Pester, ex-CEO of TSB Bank. After a botched systems migration which locked customers out of their accounts and allowed cybercriminals to drain a number of them, Pester was eventually forced to resign. He was replaced yesterday by Debbie Crosbie, who has vowed to take a much more hands-on approach to customer relations in a bid to rebuild the bank's tattered reputation.

Skimming the clouds

As in previous years, the headlines were full of giant businesses brought low by cybercriminals and hackers. Two recent incidents were probably perpetrated by the same criminal group: Magecart.

Rather than attacking the payment back-ends directly, Magecart went after the JavaScript that ecommerce pages load. In Ticketmaster's case it compromised a cloud-based third-party vendor whose script ran on the checkout pages; in BA's case a script served from the airline's own site was modified. Either way, customers' card details were skimmed in the browser as they were typed and posted to domains under the attackers' control. Ticketmaster and BA are the household names that were hit, but it's estimated that up to 800 ecommerce firms may have been affected.
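The practical lesson from Magecart is that every script on a payment page is part of the attack surface, and two browser controls address it: an allowlist of script hosts (enforced by a Content-Security-Policy header) and Subresource Integrity (SRI), which pins each third-party script to the hash of the bytes you reviewed. The audit below is an added example written for this article, not code from the piece or from Ticketmaster, BA or any vendor. The checkout HTML, the hostnames (`cdn.example`, `chat-widget.thirdparty.example`) and the vendor script body are constructed for illustration.

```python
"""Audit the <script> tags on a checkout page for Magecart-style exposure.

Added example for this article, not code from the piece or from any vendor
named in it. The page HTML, the hostnames and the vendor script body are all
constructed for illustration.
"""
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site owner has consciously decided may serve script to the
# payment page (constructed allowlist).
ALLOWED_SCRIPT_HOSTS = {"cdn.example"}


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value for a script body, e.g. 'sha384-<b64>'.
    Pinning this in the <script> tag makes the browser refuse to run a vendor
    script whose bytes have changed since it was reviewed."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def integrity_matches(integrity: str, body: bytes) -> bool:
    """Check a fetched script body against the pinned integrity value."""
    algo, _, _expected = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False
    return hmac.compare_digest(sri_hash(body, algo), integrity)


# Constructed vendor library and checkout page: a first-party script, an
# allowlisted CDN script pinned with SRI, and a chat widget loaded from a host
# that is neither allowlisted nor pinned - the exposure Magecart exploited.
LIB_JS = b"window.lib = {version: '1.0'};\n"
CHECKOUT_HTML = f"""
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example/lib.js"
        integrity="{sri_hash(LIB_JS)}" crossorigin="anonymous"></script>
<script src="https://chat-widget.thirdparty.example/loader.js"></script>
</head><body><form id="payment"></form></body></html>
"""


class _ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def audit_scripts(html: str, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return {src: [problems]} for every externally hosted script. An empty
    list means the script is allowlisted and pinned. Inline scripts and
    same-origin relative URLs are not external and are skipped."""
    collector = _ScriptCollector()
    collector.feed(html)
    report = {}
    for attrs in collector.scripts:
        src = attrs.get("src")
        host = urlparse(src).hostname if src else None
        if host is None:
            continue
        problems = []
        if host not in allowed_hosts:
            problems.append("host not in allowlist")
        if not attrs.get("integrity"):
            problems.append("no SRI integrity attribute")
        report[src] = problems
    return report


def csp_script_src(allowed_hosts=ALLOWED_SCRIPT_HOSTS) -> str:
    """Content-Security-Policy directive that has the browser enforce the same
    allowlist at load time: script from any other host is simply not run."""
    return "script-src 'self' " + " ".join(
        f"https://{h}" for h in sorted(allowed_hosts))


if __name__ == "__main__":
    for src, problems in audit_scripts(CHECKOUT_HTML).items():
        print(src, "->", "; ".join(problems) or "ok")
    print("Content-Security-Policy:", csp_script_src())
```

Run against the constructed page, the chat widget is reported for both problems and the CDN library passes. Two caveats a practitioner should keep in mind: SRI only works for vendors who version their scripts (a loader that changes daily cannot be pinned, and that is exactly the kind of script to keep off the payment page), and `script-src` only stops rogue scripts loading; blocking exfiltration of form data also needs `connect-src` and `form-action` restricted.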

Ransomware - keeping a low profile

Last year's bogeyman, ransomware, has so far kept a low profile this year. In terms of malicious email payloads and overall infections, it has been overtaken by cryptomining malware, presumably because this proved more lucrative for the cybercriminals as the value of cryptocurrencies soared.

In some ways this is good news. Cryptominers take a little CPU power and a smidgen of bandwidth and use them to mine cryptocurrency. Their presence indicates a security weakness, for sure, and may be the precursor to other attacks, but their impact is far lower than that of ransomware.

Perhaps lulled into a false sense of security, NHS Digital decided to ignore advice to spend £1bn on defending its systems against ransomware. Obviously the NHS must be careful with its spending priorities, but thinking back to last year when some Trusts were partially closed down by WannaCry, that seems to us to be a false economy, because ransomware is still very much out there and few experts believe it has had its day. This summer the ports of San Diego and Barcelona were both hit by ransomware attacks, and the SamSam strain badly affected the city of Atlanta in the US in March.

Indeed, among the Computing readership ransomware is still very much top of mind according to our recent research, sitting just behind other malware, viruses and Trojans as a cause of concern, and equal to email fraud and social engineering - which of course are mechanisms by which ransomware is often delivered.

Last year it was WannaCry - the malware that ripped through the NHS, knocked out Deutsche Bahn's passenger information displays in Germany and disrupted car production at Renault - that garnered the most headlines, but it was not actually the most damaging strain. That dubious accolade belongs to NotPetya, the worm - almost certainly created by the Russian military - which spread like wildfire across the world and very nearly led to the collapse of the shipping company Maersk. Unlike other ransomware, NotPetya was not about the ransom - it was about destruction. One senior Ukrainian government official estimated that 10 per cent of all computers in that country were wiped. While 2018 has so far escaped such attacks, NotPetya was particularly worrying because of the speed with which it spread, as well as its probable provenance.

SamSam is different again. It is not spread through email or phishing but by brute-forcing weak passwords on exposed remote access services such as RDP. It is much more targeted than WannaCry and NotPetya, and it covers its tracks by keeping much of its workings in memory. While it may write a few files to disk, the payload is inaccessible unless you can intercept the script that started the chain of events. For most intents and purposes it can be considered fileless malware.

Also new in 2018 was GandCrab which uses a ransomware-as-a-service model to deliver the malware with ransom demands for payment in the Dash cryptocurrency.

So ransomware is evolving and who knows what the next round will bring? The worry is that in the hands of state actors it could be very dangerous indeed.

Supply chain attacks

Speaking of state actors, a big story last month involved a so-called 'supply chain attack' by China. Allegedly a tiny spy chip was introduced into Chinese-made circuit boards destined for Supermicro servers, which are widely used by enterprises including Apple and Amazon and by departments of the US Government. All of these parties vehemently deny the Bloomberg story, as well they might, and unusually have been swiftly backed up in their denials by the UK and US intelligence agencies.


Make of that what you will, but supply chain attacks which compromise hardware or firmware on the production line are a real concern: they are very difficult to detect or defend against, and they hand the attacker low-level access beneath the operating system and everything that runs on it.

Of course, it doesn't take outside interference to introduce hardware vulnerabilities. Take Spectre and Meltdown, two vulnerabilities in processors that Intel was accused of knowing about but keeping quiet. Other chip vendors including AMD and Arm were also affected. We don't know of any time they've been exploited in the wild but again, they would allow an attacker with code running on the machine to read memory that should be off limits - including, in Meltdown's case, kernel memory from an ordinary user process.

Another story featured VIA Technologies, some of whose x86 processors were found to contain a backdoor that let an ordinary user-mode program gain privileged access. It should be clear by now, though, that backdoors aren't choosy about who uses them, and they are a vulnerability whatever their intended purpose.

A military footing

With businesses distributed in the cloud and across national boundaries, with even relatively simple websites being a mass of third-party services, with supply chains growing ever more complex, with criminals reusing offensive technologies leaked from the NSA and with state actors detonating powerful malware seemingly without a care for who is in the blast zone, it's no wonder organisations are feeling severely outgunned.

It's likely that every organisation of any size has already been compromised to some extent. Certainly it's wise to assume that an intruder is either present or can penetrate to a certain depth at will. Rather than keeping them out, the issue then becomes how to limit the damage that can be done.

A number of studies have found that the dwell time of an attack - the length of time between an intrusion and its mitigation - is around six months, on average. That's six months in which attackers are free to wander round the network, stealing, obstructing, deleting and corrupting - or perhaps just observing activities in preparation for a later assault. And that's just the average. The Sony attackers are believed to have been present for four years.

Clearly, it's no longer enough to sit in a reactive stance. Tomorrow's threats will be different to today's and a proactive, multi-layered posture is required.

One approach that more organisations are turning to is a SOC - a Security Operations Centre - a suitably military-sounding name for organisations on a cyber war footing. Once the preserve of large enterprises, a SOC is a dedicated department with the role of monitoring, assessing and defending the organisation's IT systems - web sites, applications, databases, data centres and servers, networks and other endpoints.

A SOC is an entity that's separate from the core IT team, although it may ultimately report to the CIO, often via the CISO. The SOC also has strong connections to the physical security team in recognition of the fact that gaps between formal responsibilities represent opportunities for attackers to get in.

The SOC's core mission is to avoid security failures that have a direct impact on the brand, or that otherwise affect the overall standing of the company. It does this by creating a set of standardised responses to incidents to make sure nothing is overlooked and that everyone knows what to do in the event of an attack.

It may be in house, fully outsourced or a combination of the two. Whichever option is chosen it's not going to come cheap, though. The SOC must be built to fit the organisation's needs - there is no one size fits all, and bespoke design generally comes with a big price tag.

Then again, the increasing prevalence and sophistication of cyber-attacks mean the benefits that a SOC brings are ever more tangible and the associated costs easier to justify.

While SOCs are still relatively rare outside of large organisations, we asked an audience of IT professionals to pick the main advantage of deploying a SOC.

'A better all-round view on all information and data processing systems across the business' was the most mentioned benefit, followed by having 'a single-pane-of-glass ability to monitor and manage threat' and the opportunity to build or buy in 'a high calibre of security skills'.

The main idea behind SOCs is professionalising security by giving it a defined role and thus ensuring that as many bases as possible are covered.

Security experts in the SOC seek to gain an in-depth understanding of how hostile actors behave, their motivations and the methods they use to break into a network. They then work on ways to block the attacker at each stage.

Another term borrowed from the military is the kill chain - the sequence of steps an attacker performs to meet their objectives. It's the job of the SOC to anticipate the actions of the attacker and disrupt them at each stage of the chain.

An attacker will first study an organisation looking for a way in. An unmaintained Internet-connected machine makes a handy entry point for example, and a sysadmin is a likely target for phishing emails. Once the weak point has been identified an attack can be designed, perhaps involving malware delivered via a phishing attempt. Having broken into the network, the attackers can make themselves at home, setting up communications with a command and control centre, taking measures to obscure their presence, and then begin doing the job they came to do, be that stealing or altering data or causing systems to fail.

In defence, the SOC investigates and responds to suspicious activity by following tried and tested procedures, some of which may be automated. These are commonly organised around the five functions of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond and Recover.

A SOC employs a variety of skills including managers, analysts and response specialists, as well as maintenance staff who deploy and look after software and hardware on the network. The SOC deploys a mixture of hardware and software to monitor, triage, display and respond to events.

Threat hunters may trawl the dark web seeking their adversary

The threat hunter

The most proactive organisations may also have a cyber threat hunter on their payroll.

Threat hunters work on the assumption that attackers have already penetrated the system. They focus on the advanced persistent threats (APTs) and other sophisticated menaces, rather than the more common scams, viruses and untargeted phishing attempts. Threat hunters carefully analyse the whole environment using security monitoring, SIEM and log analytics tools in search of anomalies that may indicate malicious activity.
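The command-and-control step of the kill chain described above is one of the few places an otherwise quiet intruder has to make noise, and it is a classic starting hypothesis for a threat hunt: an implant checking in with its controller on a timer produces one internal client contacting one external host at near-constant intervals, which human browsing never does. The script below is an added example written for this article, not code from the piece or from any SIEM or log analytics product. The proxy log lines, client addresses and hostnames are constructed.

```python
"""Hunt for command-and-control beaconing in web proxy logs.

Added example written for this article; it is not code from the piece or
from any SIEM product. The log lines, client addresses and hostnames are
constructed. A beacon is implanted malware checking in with its controller
on a timer, so it shows up as one internal client contacting one external
host at near-constant intervals - regularity that human browsing lacks.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: timestamp, client IP, destination host, bytes sent.
# 10.0.0.5 talks to update.vendor-cdn.example every five minutes, give or
# take a second; everything else is irregular browsing.
PROXY_LOG = """
2018-10-01T09:00:00 10.0.0.5 update.vendor-cdn.example 512
2018-10-01T09:00:12 10.0.0.5 news.example 20480
2018-10-01T09:05:00 10.0.0.5 update.vendor-cdn.example 512
2018-10-01T09:07:41 10.0.0.5 mail.example 8192
2018-10-01T09:10:01 10.0.0.5 update.vendor-cdn.example 512
2018-10-01T09:14:59 10.0.0.5 update.vendor-cdn.example 512
2018-10-01T09:20:00 10.0.0.5 update.vendor-cdn.example 512
2018-10-01T09:22:13 10.0.0.9 news.example 4096
2018-10-01T09:25:00 10.0.0.5 update.vendor-cdn.example 512
2018-10-01T09:31:07 10.0.0.9 news.example 4096
2018-10-01T09:48:55 10.0.0.9 news.example 4096
2018-10-01T09:51:02 10.0.0.9 news.example 4096
"""


def parse_log(text):
    """Group connection timestamps by (client, destination host), in order."""
    sessions = defaultdict(list)
    for line in text.strip().splitlines():
        ts, client, host, _sent = line.split()
        sessions[(client, host)].append(datetime.fromisoformat(ts))
    for times in sessions.values():
        times.sort()
    return sessions


def beacon_candidates(sessions, min_connections=4, max_jitter=0.1):
    """Return (client, host, period_seconds, jitter) for every pair whose
    inter-connection gaps are nearly constant. jitter is the coefficient of
    variation of the gaps (stdev / mean): a scheduled beacon scores close to
    zero, bursty user traffic scores well above the threshold."""
    hits = []
    for (client, host), times in sessions.items():
        if len(times) < min_connections:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            hits.append((client, host, period, jitter))
    return hits


def hunt(text=PROXY_LOG):
    """Parse the log and return the beaconing candidates."""
    return beacon_candidates(parse_log(text))


if __name__ == "__main__":
    for client, host, period, jitter in hunt():
        print(f"{client} -> {host}: every {period:.0f}s, jitter {jitter:.3f}")
```

On the constructed log the only hit is 10.0.0.5 talking to update.vendor-cdn.example every 300 seconds with negligible jitter; the news and mail traffic is far too irregular to score. A real hunt then has to separate legitimate scheduled traffic (update checks, monitoring agents) from implants, which is where the hunter's knowledge of the estate comes in. Better-written malware randomises its sleep interval, so in practice the jitter threshold is loosened and other constant features such as request size are weighed alongside it.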

As part of a threat intelligence team, threat hunters may also hang out in darker corners of the web studying potential adversaries to discover their methods and motivations.

Firms deploying this role need to make sure this activity is performed effectively, and the resulting intelligence is incorporated into the collective consciousness of the SOC to protect the network from similar attacks in future.

For those who employ threat hunters, the main benefits were preventing threats entering the network in the first place, and identifying threats faster. Remember that six-month dwell time? If the threat hunter is worth his or her salt, this should be drastically reduced.

Those who hadn't employed threat hunters overwhelmingly blamed a lack of resource as the key reason. At an average salary of £50,000 threat hunters are not cheap, and whether they are worth the outlay will depend very much on the company's risk profile.

We heard anecdotally from one large organisation that laid off its threat hunters because they simply weren't finding enough malicious activity to justify the outlay.

The threat hunter does not carry a gun that fires silver bullets then, but few would argue that being more proactive is not a worthwhile aim.

In the toolkit

Among the newer tools available to SOCs are those that use machine learning to spot anomalies. SOCs are concerned with establishing baselines and developing standard methods to respond to and mitigate intrusions and attacks, so this is a good fit. It is a move away from rule- and signature-based methods of spotting malware to more holistic techniques such as multidimensional anomaly detection (using unsupervised machine learning) and generalisation of malicious behaviour (using supervised machine learning). It may soon be possible to hand over a swathe of activities to AI, including triage and automated mitigation.

There are log analytics tools which again seek to find anomalies, this time by automatically poring through network and application logfiles. And there's UBA (user behaviour analytics) which seeks to compare a user's current behaviour with their past behaviour as a way of flagging possible malicious actors - although the Big Brother concerns that arise over the use of such tools are clear.
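The distinguishing feature of UBA, as the paragraph above says, is that the baseline is each user's own past behaviour rather than a global rule such as 'no logins at night'. The example below is added for this article and is not code from the piece or from any UBA product; the authentication events, user names and countries are constructed. It shows why the per-user baseline matters: the same 3am login is an alert for a day-shift user and routine for a night-shift one.

```python
"""User behaviour analytics: flag logins that depart from a user's own baseline.

Added example for this article, not code from any UBA product. The
authentication events below are constructed. The baseline is each user's
own history (hour-of-day distribution and set of source countries), which is
what separates UBA from a global rule such as 'no logins at night'.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed history: timestamp, user, source country.
# alice works office hours from GB; bob works nights from GB.
HISTORY = """
2018-09-03T08:55:00 alice GB
2018-09-04T09:02:00 alice GB
2018-09-05T08:48:00 alice GB
2018-09-06T09:10:00 alice GB
2018-09-07T08:59:00 alice GB
2018-09-03T02:10:00 bob GB
2018-09-04T03:05:00 bob GB
2018-09-05T02:40:00 bob GB
2018-09-06T03:20:00 bob GB
"""

# Constructed new events to score against the baselines.
NEW_EVENTS = """
2018-10-01T03:02:00 alice RO
2018-10-01T03:00:00 bob GB
2018-10-01T09:00:00 alice GB
"""


def build_baselines(history_text):
    """Per-user profile: how often each hour of the day has been seen, and
    which countries logins have come from."""
    baselines = defaultdict(lambda: {"hours": Counter(), "countries": set()})
    for line in history_text.strip().splitlines():
        ts, user, country = line.split()
        baselines[user]["hours"][datetime.fromisoformat(ts).hour] += 1
        baselines[user]["countries"].add(country)
    return baselines


def score_event(baseline, ts, country):
    """Return (score, reasons). Each feature never before seen for this user
    adds one point; the hour check tolerates a window of +/-1 hour."""
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    seen_hours = baseline["hours"]
    if not any(seen_hours[(hour + d) % 24] for d in (-1, 0, 1)):
        reasons.append(f"hour {hour:02d} outside user's usual window")
    if country not in baseline["countries"]:
        reasons.append(f"first login from {country}")
    return len(reasons), reasons


def flag_anomalies(history_text=HISTORY, new_text=NEW_EVENTS, threshold=1):
    """Score each new event against its user's baseline and return the
    (user, timestamp, reasons) tuples that reach the alert threshold."""
    baselines = build_baselines(history_text)
    alerts = []
    for line in new_text.strip().splitlines():
        ts, user, country = line.split()
        if user not in baselines:
            alerts.append((user, ts, ["no baseline for user"]))
            continue
        score, reasons = score_event(baselines[user], ts, country)
        if score >= threshold:
            alerts.append((user, ts, reasons))
    return alerts


if __name__ == "__main__":
    for user, ts, reasons in flag_anomalies():
        print(f"{ts} {user}: " + "; ".join(reasons))
```

Only alice's 3am login from a new country is flagged; bob's 3am login is within his own pattern and alice's 9am login matches hers. Raising the threshold to 2 suppresses the single-feature alerts that business travel generates, at the cost of missing a stolen credential used from the usual country at an odd hour. Note, in the spirit of the privacy concern raised above, that the profile holds only login hours and countries, not what the user did once logged in.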

Another newish tool is the cloud access security broker (CASB). As operations have moved into the cloud and with multiple third-party vendors such as Dropbox and Salesforce playing a central role, companies need a way to ensure that their security policies are enforced consistently across their many cloud properties and services.

A CASB sits between the cloud provider and the organisation. Essentially it does four things: discover which cloud applications are used across the business, secure data, protect against threats and ensure compliance with corporate policies. It's a concept which has been gaining traction in recent years, not only in large companies but also in smaller cloud-first outfits.

SOCs should always seek to stay ahead in the arms race, but they don't really suffer from a shortage of tools; a lack of integration between different applications can be a problem, though. So SOCs need to choose carefully to mind the gaps. A layered or defence-in-depth approach is the best strategy, ensuring each tool covers areas where the others are weak.

New defensive technologies are constantly emerging, so it is unlikely that the technologies in a SOC will remain the same year to year. It's important to keep an eye on the marketplace but not to be dazzled by the next shiny thing.

John Leonard
